Roaming Computing System (Windows Edition) 3.3 - Accidental Administrator's Guide

Administration Tips

You have a domain administrator account called winadmin and a domain user account called winuser. Use these domain accounts (DOMAIN\winadmin and DOMAIN\winuser) rather than machine accounts (MACHINE(?)\administrator). If you have to give out the domain administrator account to someone temporarily, it is subsequently easier to change this once rather than change the administrator account on every workstation.

Connecting to the server's underlying file system / operating system from any workstation

To login to the server at the command-line from a Windows workstation use PuTTY via Start → Programs → Internet → PuTTY → PuTTY. Enter server into 'Host Name (or IP address) and choose Open. You can paste commands into the PuTTY terminal by copying in the usual then way just pressing the right-mouse button within PuTTY. To copy text from a PuTTY terminal just highlight the text, it is then automatically in the paste buffer and can be pasted elsewhere.

(Beware, when pasting from guides at thegoldenear.org, PuTTY on windows will include a carriage return at the end of a command where as ssh on linux will not. Some of the commands in these guides assume you don't use a carriage return when pasting them so that the line can be edited before hitting [Enter].

To login to the server at the command-line from a Linux workstation use ssh, using the command ssh root@server.

To transfer files between a Windows workstation and the server at its operating system level use WinSCP on the workstation via Start → Programs → Internet → WinSCP.

To transfer files between a Linux workstation and the server at its operating system level use any of the FTP programs such as FileZilla or gFTP.

Deleting Accounts

Delete A User's Domain Account

Delete their account, with either:

• You should be able to do so from within Windows
• From the command-line on the server:
  net rpc user delete <username>

Note that this doesn't delete their home directory (H:, or /home/<username>). Deleting it from the command-line is considered too risky for readers of this guide because of the dire consequences of getting it wrong. Ask your technical administrator to do this for you if you need it.

Creating new restricted groups

A group of users can have their own directory on R: where they share files only they have access to. You need to be logged into the server console as root to add new groups.

Create a group that your group of users will be a member of:
# addgroup <sub-group>

Create a directory for them to keep their files in:
# mkdir /home/<organisation>/restricted/<sub-group>

Make the group you just created the owner of the directory you just created:
# chgrp <sub group> /home/<organisation>/restricted/<sub group>

Set permissions so only file and directory owners and those in the group have read and write access to them:
# chmod 2770 /home/<organisation>/restricted/<sub group>

Add existing users to the group, individually:
# adduser <username> <sub-group>

Server Updates Affecting Users

Samba

It's OK to restart Samba (at the command-line you use /etc/init.d/samba restart) when people are logged in with documents open, even if they have unsaved work. You should, though, ask people to not save work for a moment whilst you restart Samba. If you restart Samba then people try to save unsaved work too soon, before Samba is properly restarted, OpenOffice, for example, will say "Error saving the document <document name>: General Error. General input/output error." but allow you to try saving again; where as GIMP will automatically wait until the Samba share is available again and then save; Thunderbird won't be affected at all unless you are using local folders and have located them on a network share.

Networking

TODO (/etc/init.d/networking restart)

Things you must not change

• DNS domain - it's localdomain, Debian's default. The mail server relies on this remaining the same.
• server name - it's 'server'. The mail server relies on this remaining the same.
• Samba server name or domain(?) - this will require workstations to have to re-join the domain
• server IP address - it's 10.0.0.10. Don't change it, but if you really need to then you need to change it in:
• server's /etc/network/interfaces
• server's /etc/resolv.conf (TODO: do we change it WRT /etc/resolvconf if resolvconf installed?)
• server's /etc/postfix/main.cf
• server's Samba - see xania.org/200809/samba-problems-after-ip-change
• /etc/init.d/samba stop
• rm /var/cache/samba/browse.dat
• rm /var/lib/samba/wins.dat
• /etc/init.d/samba start
• Firewall - any static hosts such as server → 10.0.0.10
• winuser password - it's used by WPKG Client [TODO: maybe we should have a dedicated wpkg account instead]

Windows Workstations

You cannot change a workstation's name direcly. You must first disconnect from the domain by swapping the domain name for a workgroup name; give the winadmin or root account so as to leave the domain; restart the workstation; change the name; restart again; reconnect to the domain.

Troubleshooting

Server

The most common complaint with the server is the assumption that email isn't going in or out. You can leave the server logged in running one or more of these commands to show incoming and outgoing mail:

• tail -f /var/log/syslog
• tail -f /var/log/mail.log

If the server crashes it will leave complex messages on the screen. usually you can restart the server with ctrl+alt+del. Try this but if it fails to get the server to respond, by saying it is shutting down, then power cycle it. The messages on the screen will be available in the logs (/var/log/syslog and /var/log/messages) for whomever wants to look.

User Accounts

If someone is having trouble logging on, can they log on elsewhere? can others logon on the machine they're having trouble with?

WPKG

WPKG logs to %TEMP%, the system temp location, in a file called wpkg-<machine name>.log

Backup

The server backs up to a directly connected USB-attached hard disk. You connect the disk and leave it over-night, replacing it with another disk the next day. The backup runs at 04:00. You do not need to issue any commands, everything is automatic. If there were any errors they are written to a log file (/var/log/backup-<date>-<time>) [though they should be emailed to the administrator].

The disk uses a Unix filesystem (ext3) so cannot be read on Microsoft Windows systems without an add-on which don't currently provide. The data is saved directly to the disk, it is not zipped up. Note that the backup will grow over time. You can read it on any Linux system or on Windows [TODO: details will be added here as to how to access them using Windows].

If you connect the disk to the server you can read it by issuing the command, whilst root: mount /media/backup. The disk's contents will then be available in the /media/backup directory.

If you connect the disk to a Linux workstation its contents will appear on the desktop.

When you are looking at the backup disk, the following directories containg the following files:

• home/<your organisation name> - the organisation's shared S:. Permissions are such that you can read these files.
• home/<person's name> - each person's H:. Permissions are set so only the owner can read them unless you override those permissions.

Manual Software Application Updates

Typicallly updates are managed through WPKG but if you want to update the system manually some of the software applications make this really easy. If there is any risk of breaking the system they will be described here.

Adobe Reader

OpenOffice

During installation choose 'Custom' option and change the installation directory from C:\Program Files\OpenOffice.org 2.4\ to C:\Program Files\OpenOffice\.

Firefox

• Login to a workstation as administrator or into the domain as winadmin
• From within Firefox choose Help → Check for Updates
• If it says, for example, "Updates Available - An update for Firefox is available: Firefox 2.0.0.6" you can choose "Download & Install Now >>"

Thunderbird

• Login to a workstation as administrator
• From within Thunderbird choose Help → Check for Updates
• If it says, for example, "Updates Available - An update for Thunderbird is available: Thunderbird 2.0.0.6" you can choose "Download & Install Now >>"

Quickbooks

You should run the Quickbooks updater manually once a month.

F-Prot

F-Prot updates itself automatically.

Java Runtime Environment

Control Panel → Java → Update → Update Now.

The newly installed version will automatically become the default in Firefox.

This creates an additional installed copy to those versions already installed and so uses up an additional 70MB or more each time

[TODO: In OpenOffice, it isn't selected, does that mean anything?]

Software Application Tips And Tricks

Thunderbird

If you want a message inserted at the bottom of everyone's email, save it somewhere on S: so that staff can link to it from within thunderbird as a signature.

If people coming from Microsoft Outlook are missing particular aspects of Outlook's behaviour it's worth checking out Emulate Microsoft email clients to see if they can be catered for.

Physically moving a system from one location to another

It should be straight forward but you should expect something to go wrong as it invariably will.

For the server and workstations, moving involves turning them off properly, disconnecting all cables and reconnecting in the same manner at the other end. This should be straight forward for anyone to do as cables for everything can't be connected into the wrong socket. Just make sure you carefully pack up all cables together so that nothing is misplaced or broken. Obviously, treat computers with care in transit, but don't worry excessively as they can take a few knocks.

For hubs, the network cables probably don't need to be reconnected in any specific order, but even if they do it will only be one of the cables and you can see that by checking first if one is connected to a socket marked 'uplink'.

For the firewall, there are two network cables which need to specifically connect back into the same connectors from which they were removed. Some settings on the firewall will need to change if your static Internet address is going to change, which it probably is.

Keep backup disks seperate in case the server gets lost or stolen.

Take great care with laser printers as they are extremely fragile. It's probably worth removing toner cartridge(s) during transit.

You either connect to the Internet through your own modem or you're attached to an intranet provided by someone else and they have their own modem. Changes to your method of connecting to the Internet will need to be reflected in the firewall and modem.

Change of SMTP server for outgoing email. If you're piggy backing someone else's Internet connection you can ask them for the SMTP server name, or you can find out yourself. To find out yourself, use traceroute, or GRC's Shields up!, to find your external IP address. then do a whois lookup on that IP address to find who it is (you'll get, say, 'netname: BULLDOG-CHT', where 'Role:' is who owns them, 'Cable and Wireless Access Ltd', a Google search on 'bulldog smtp' reveals their SMTP address.

Document ¤ Version: 0.3.6 | Licence: GNU General Public License | Copyright: © 2007-2008 Pete Boyd
Site ¤ - URL: http://thegoldenear.org/ | Email: inkwire at thegoldenear dot org
Built using HTML 4.01 Strict and CSS. For best results, use a browser that supports open Standards.